
CMMC 2.0 Updates: The Latest Contractors Need to Know

Written by ISI | Feb 3, 2025 11:30:00 AM

EXECUTIVE BRIEF

After years of regulatory review and widespread initial skepticism about its viability, the government's phased rollout of CMMC 2.0 is set to begin on November 10, 2025. This means CMMC requirements will finally begin appearing in new defense contracts and option years of existing contracts.

But the new requirements will be applied incrementally, not all at once. There’s still time for contractors to get ahead of the certification process before Level 2 (C3PAO) requirements really kick in.

This blog post breaks down the latest CMMC 2.0 updates, what they mean for your business, and how you can prepare for upcoming certification requirements.

Whether you’re already deep into compliance efforts or just getting started, continue reading to ensure your cybersecurity strategy aligns with the DoD’s latest expectations.

CMMC 2.0 Rulemaking Is Now Complete

32 CFR Part 170 (The CMMC Program Rule) was published in the Federal Register on October 15, 2024 and went into effect 60 days later on December 16, 2024. This formally established the CMMC 2.0 program — its structure, levels, assessment types, roles, waivers, etc. — and launched the CMMC marketplace. Defense contractors have been able to undergo their Level 2 assessment and achieve their CMMC Certificate of Status ever since.

The final 48 CFR rule (CMMC in Contracts) was published on September 10, 2025 and goes into effect on November 10, 2025. This rule amends acquisition regulations — specifically the Defense Federal Acquisition Regulation Supplement (DFARS) — to include CMMC requirements in DoD solicitations and contracts. Starting on November 10, contracting officers may demand CMMC compliance (via clauses like DFARS 252.204-7025) and contractors must hold valid CMMC status when required (DFARS 252.204-7021).

Timeline for CMMC 2.0 Implementation and Deadlines

Understanding the timeline for the implementation of CMMC 2.0 is crucial for ensuring your business remains eligible to bid on DoD contracts. Here's an overview of the phased rollout process along with some key milestones.

Phased Rollout Process

The first phase of CMMC implementation begins on November 10, 2025. The DoD has adopted a four-phase approach to implement CMMC 2.0 that unfolds over three years:

Phase 1

Phase 1 begins with the effective date of the CMMC Title 48 rule, November 10, 2025. During this phase, Level 1 and 2 self-assessment requirements will be included in applicable solicitations and contracts as a condition of award.

Phase 2

Phase 2 starts one calendar year after Phase 1, on November 10, 2026. Level 2 third-party assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs) become a condition for contract awards.

Phase 3

Phase 3 begins one calendar year after Phase 2 begins, adding government-led Level 3 assessments for contracts handling the most sensitive Controlled Unclassified Information (CUI).

Phase 4

Phase 4 arrives one year after Phase 3, marking full implementation with CMMC requirements included in all applicable DoD solicitations and contracts, including option periods.

Key Milestones and Dates

December 16, 2024: The CMMC Final Rule (CFR 32) became effective.

January 2, 2025: CMMC assessments commenced.

September 10, 2025: CMMC Title 48 rule is published in the Federal Register with an effective date of November 10, 2025.

November 10, 2025: CMMC requirements will start appearing in new DoD solicitations and option years.

November 2028: Target date for full implementation, with all DoD contracts including CMMC requirements.

It should be noted that prime contractors can flow down these requirements to their supply chain well in advance of the government rollout.

What Are the Key Differences Between CMMC 1.0 and CMMC 2.0?

The final publication of CMMC 2.0 in December 2024 marked a big milestone in a long process. CMMC 2.0 was first introduced in November 2021 to streamline and simplify the original CMMC 1.0 framework, which had been proposed about a year and a half prior at the start of 2020.

If you’re familiar with CMMC 1.0, you might recall the significant complexity and challenges it posed for many small to mid-sized defense contractors. The DoD introduced CMMC 2.0 to simplify the process while still ensuring strong cybersecurity standards. Let’s break down the key differences and how they impact you.

A Simplified Model

One of the most notable changes in CMMC 2.0 is the shift from a five-tiered model to a simplified three-tiered model, making compliance more accessible and more easily understood.

While CMMC 1.0’s five-level approach was thorough, it often proved overwhelming for small and mid-sized contractors, particularly those unfamiliar with advanced cybersecurity practices. With CMMC 2.0, the DoD has streamlined the framework by reducing the number of compliance levels from five to the following three:

  • Level 1 (Foundational): Focuses on basic cybersecurity practices to protect Federal Contract Information (FCI).
  • Level 2 (Advanced): Aligns with the 110 controls outlined in NIST SP 800-171 Rev. 2, aimed at safeguarding Controlled Unclassified Information (CUI).
  • Level 3 (Expert): Builds on Level 2 with 24 additional requirements from NIST SP 800-172 for the most sensitive contracts.

Elimination of Unique CMMC Practices and a Greater Emphasis on Existing Standards

Another significant update in CMMC 2.0 is the removal of the 20 unique practices that were part of the original CMMC 1.0 framework. In CMMC 1.0, these practices were introduced as additional requirements beyond established cybersecurity standards like NIST SP 800-171. While they aimed to enhance security, they often caused confusion and increased the complexity of compliance for contractors.

With CMMC 2.0, the DoD has eliminated these unique practices, fully aligning the framework with existing, well-recognized standards derived from NIST SP 800-171 and NIST SP 800-172. This simplifies compliance and eliminates redundancy. For contractors, this means you can focus on adhering to established, well-documented standards without worrying about additional, unique requirements, and you can more easily integrate CMMC compliance into your existing cybersecurity efforts. If you’re already implementing NIST SP 800-171 controls, you’re well on your way to meeting the requirements of CMMC 2.0.

Reduced Assessment Requirements

CMMC 2.0 introduces a major change in how assessments are conducted. Under CMMC 1.0, every contractor, regardless of the level they were pursuing, was required to undergo a third-party assessment conducted by a C3PAO. While thorough, this approach would have been time-consuming and costly, especially for smaller businesses.

CMMC 2.0 takes a more flexible approach, tailoring assessment requirements to the level of compliance. Level 1 requires an annual self-assessment and annual affirmation. For the majority of companies at Level 2, a C3PAO assessment is required every three years, though select programs may only require a self-assessment every three years. In both cases, affirmation is required annually. For the relatively small number of contractors aiming for Level 3 certification, a DIBCAC assessment is required every three years along with an annual affirmation.

By introducing self-assessment options at Levels 1 and 2, CMMC 2.0 reduces costs and administrative burdens for contractors who don’t handle highly sensitive data. At the same time, the use of third-party and government-led assessments at higher levels ensures that robust security measures are verified where they’re most needed.

A Focus on Streamlined Compliance and Plans of Action and Milestones (POA&Ms)

One of the most contractor-friendly updates in CMMC 2.0 is the introduction of Plans of Action and Milestones (POA&Ms). Under CMMC 1.0, full compliance was required at the time of certification. This meant that even minor deficiencies could prevent you from achieving certification, often leading to significant delays and additional costs.

CMMC 2.0 offers a more practical approach. With the allowance of POA&Ms, your organization can achieve conditional certification while addressing minor gaps over time. POA&Ms let you document specific areas where your organization falls short and outline actionable steps and timelines for addressing them. This reduces the immediate financial and operational burden for small and mid-sized contractors, letting you focus on the most critical aspects of cybersecurity before addressing minor deficiencies.

However, it’s important to note that POA&Ms aren’t a free pass. The DoD will set strict parameters around their use, including:

  • Limited Scope: Only minor deficiencies can be addressed through a POA&M. Critical controls and requirements must still be fully met at the time of assessment.
  • Strict Timelines: POA&Ms must include clear milestones and deadlines to ensure timely remediation. Contractors who receive a conditional certification must complete a POA&M closeout assessment by an authorized or accredited C3PAO within 180 days.

ISI Insight: If you’re wondering what controls can’t go on a POA&M, a general rule is any control worth more than one point in the DoD’s scoring methodology will not be permitted.

Streamlined Waivers and Requirements

CMMC 2.0 introduces a new waiver process, giving contractors greater flexibility in meeting compliance requirements under certain conditions. In CMMC 1.0, no waiver process existed, meaning that contractors had to fully comply with all requirements, regardless of whether specific circumstances justified an exception. This rigid approach would have created challenges for businesses working within tight deadlines or unique operational constraints.

Under CMMC 2.0, the introduction of waivers allows companies to address specific challenges in their contract while maintaining their eligibility for DoD contracts. Here’s what you need to know about this change:

  • Prime contractors can apply for a waiver to bypass certain requirements temporarily, but only under well-defined and exceptional circumstances.
  • Waivers are granted by the DoD, ensuring that they are used judiciously and do not compromise overall cybersecurity standards.
  • Waivers are not a blanket exemption. They are narrowly tailored, apply to contracts (not to specific contractors), and are typically tied to specific conditions such as the timing of implementation or critical operational needs.

This new process benefits contractors by better balancing flexibility with accountability. If you’re working on a non-prioritized contract and face challenges meeting a specific requirement within a tight timeline, a waiver could allow you to proceed with the understanding that the requirement will be addressed in the future. This process helps contractors navigate real-world challenges while ensuring that cybersecurity remains a top priority. 

CMMC 1.0 vs. CMMC 2.0

Area               | CMMC 1.0                                                  | CMMC 2.0
Levels             | 5 levels with increasing requirements.                    | Reduced to 3 levels to simplify compliance.
Unique practices   | Included 20 bespoke practices.                            | Extra practices removed; fully aligns with NIST standards.
Assessments        | Third-party assessments for all levels.                   | Self-assessments for Level 1 and some Level 2; third-party and government-led assessments for higher levels.
POA&Ms             | Not allowed; full compliance required upfront.            | POA&Ms allowed for addressing minor deficiencies for Level 2 and Level 3.
Framework alignment| Incorporated various frameworks with additional unique elements. | Fully aligned with NIST SP 800-171 and SP 800-172.

Impact on Defense Contractors

The changes introduced in CMMC 2.0 have significant implications extending beyond just the prime contractors to the entire DoD supply chain. If your business handles FCI or CUI at any level, understanding and complying with these requirements is essential. Prime contractors must ensure their own compliance and verify that their subcontractors meet the necessary requirements. Subcontractors are equally accountable for meeting CMMC requirements, as their work often involves handling FCI or CUI shared by their primes.

Implications for Non-Compliance

Failing to meet CMMC 2.0 requirements by the specified deadlines can have serious consequences for your business, including:

  • Ineligibility for Contracts: Non-compliant contractors will be unable to bid on or receive DoD contracts, which would bring new business to a halt.
  • Supply Chain Exclusion: Prime contractors are responsible for ensuring their subcontractors comply with CMMC requirements. Non-compliant subcontractors may be excluded from opportunities within the defense supply chain.
  • Reputational Damage: Lack of compliance can signal inadequate cybersecurity practices, damaging your reputation and trust with current and potential clients.

To avoid these pitfalls, it's imperative to begin preparing for CMMC 2.0 compliance immediately. Assess your current cybersecurity posture, identify gaps, and develop a plan to meet the necessary requirements ahead of the deadlines. Early action will position your business for continued success within the defense contracting landscape.

Steps for Achieving CMMC 2.0 Compliance

Despite CMMC 2.0’s simplified process, achieving CMMC compliance is still a complicated and time-consuming process. Here’s a checklist for how to get started with your CMMC journey:

  1. Assess Your Data
  2. Determine Your CMMC Level
  3. Decide Who Owns CMMC Compliance for Your Organization
  4. Review Your Existing Cybersecurity Framework
  5. Conduct a NIST 800-171A Self-Assessment
  6. Establish a System Security Plan (SSP)
  7. Build a Plan of Action and Milestones (POA&M)
  8. Implement Improvements Based on POA&M and Set a Timeline for Full Compliance
  9. Conduct a CMMC Self-Assessment
  10. Choose a CMMC Third Party Assessor Organization (C3PAO)

For more details on each of these steps, check out your CMMC checklist.

Future Implications and Benefits of CMMC 2.0

CMMC 2.0 is more than just a compliance framework—it’s a strategic investment in the future of your business and the security of the DIB. By aligning with its requirements, you position yourself as a competitive and reliable partner in the DoD supply chain.

Meeting the new standards early will position you at the forefront of the defense community. Demonstrating compliance enhances your security posture, improves your operational resilience against evolving and emerging threats, and showcases your commitment to protecting sensitive information. 

Get Expert Guidance for CMMC 2.0 Integration with ISI Enterprises

With our help, achieving early compliance with CMMC 2.0 regulations can sharpen your competitive edge in the DIB. At ISI Enterprises, we specialize in helping contractors like you navigate the CMMC 2.0 compliance process with confidence. Whether you’re conducting a gap analysis, developing your POA&M, or preparing for a third-party assessment, our team of experts is here to provide tailored support every step of the way.

Don’t wait until looming deadlines leave your business at risk of losing contracts and straining your resources. Contact us today for guidance and expert advice. 

FAQs about CMMC 2.0 Updates

Will CMMC Replace NIST 800-171?

CMMC will not replace NIST 800-171. Instead, CMMC 2.0 is designed to work in alignment with NIST standards, particularly NIST SP 800-171 and SP 800-172. CMMC acts as a framework to ensure that contractors implement and maintain the cybersecurity controls outlined in these standards.

What Does CMMC Stand For?

CMMC stands for Cybersecurity Maturity Model Certification. It’s a framework developed by the U.S. Department of Defense (DoD) to ensure that contractors and subcontractors in the Defense Industrial Base (DIB) meet standardized cybersecurity requirements to safeguard Controlled Unclassified Information (CUI) across federal supply chains.

Who Needs CMMC Certification?

Any company in the DoD supply chain that handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) will need a CMMC certification to be eligible for future contracts. This includes prime contractors and subcontractors, even those with limited access to sensitive data. This makes CMMC a critical compliance step for the entire DIB.

What Are the 5 Levels of CMMC?

The original CMMC model proposed in 2020 had five maturity levels ranging from basic cyber hygiene to advanced cybersecurity practices (see the chart above). However, with the introduction of CMMC 2.0, the framework was streamlined to three levels:

  • Level 1: Foundational (self-assessment)
  • Level 2: Advanced (third-party assessment)
  • Level 3: Expert (DoD-led assessment)

These reflect the sensitivity of information a contractor handles and the required level of cybersecurity protections.

What Is CMMC vs. FedRAMP?

While CMMC focuses on protecting CUI within DoD contractors, FedRAMP (Federal Risk and Authorization Management Program) governs cloud service providers across all federal agencies. CMMC is specific to DoD contracts and assesses organizational cybersecurity practices, while FedRAMP ensures cloud services meet federal security standards.

Who Regulates CMMC?

CMMC is overseen by the U.S. Department of Defense through its Office of the Chief Information Officer. The Cyber AB (Accreditation Body)—formerly known as the CMMC-AB—manages the ecosystem of certified assessors, trainers, and consultants under DoD direction.

What Is the Rule 48 for CMMC?

The 48 CFR rule (CMMC in Contracts) amends acquisition regulations to include CMMC requirements in DoD solicitations and contracts. It was published on September 10, 2025 and goes into effect on November 10, 2025. Starting on that date, contracting officers may demand CMMC compliance (via clauses like DFARS 252.204-7021) and contractors must hold valid CMMC status when required.

Are There Multiple CMMC Rules?

There is only one overarching CMMC framework, but there are two rules that implement it. CFR 32 defines the CMMC structure, creates the CMMC marketplace, and establishes roles such as CMMC C3PAOs. CFR 48 enforces CMMC by integrating it into federal contracts.

How Long Does CMMC Certification Take?

The timeline to become CMMC certified varies based on your organization’s current posture. For most small to midsize defense contractors, expect 8 to 12 months to fully prepare, implement necessary security measures, and complete the assessment process—especially for CMMC Level 2 compliance.

When Does CMMC 2.0 Go into Effect?

Parts of CMMC 2.0 — such as the establishment of the CMMC marketplace and the assessment process for CMMC Level 2 Certificates of Status — have been in effect since the end of 2024. The full phased roll-out of CMMC requirements in all new DoD contracts begins in November 2025 and will be completed by November 2028.

When Will CMMC Appear in DoD Contracts?

CMMC requirements will begin appearing in DoD contracts starting November 10, 2025, following the effective date of the 48 CFR final rule. However, the rollout will be phased over several years, not immediate or universal. This means only select contracts will include CMMC requirements at first and the number will increase over time. Contractors shouldn’t wait for CMMC to appear in their specific contract before preparing; early readiness offers a strategic advantage as compliance becomes more widespread across the defense supply chain.

How Long Does It Take to Prepare for a CMMC Assessment?

Preparation depends on your current cybersecurity maturity, but most defense contractors need 3 to 9 months to conduct a gap analysis, implement missing controls, and establish evidence to demonstrate compliance. Engaging a partner early can reduce time, cost, and stress.

How Much Does CMMC Compliance Cost?

Costs vary widely based on your size and security gaps. For small to mid-sized defense contractors, expect it to cost from $15K to $100K+ depending on whether you’re building from scratch, upgrading systems, or leveraging managed services. CMMC is a cost of doing business in the defense sector—but also a competitive advantage.

Does CMMC Flow Down to Subcontractors?

Yes, CMMC requirements flow down to all subcontractors handling CUI or FCI on a covered contract. Primes are responsible for ensuring their subcontractors meet the necessary certification level—making CMMC compliance a shared responsibility across the entire supply chain.

What’s the Difference Between CMMC Level 1, Level 2, and Level 3?

CMMC 2.0 defines three levels of compliance, each tailored to the sensitivity of the information being protected. Level 1 focuses on basic cybersecurity practices, requiring 17 controls from FAR 52.204-21 to safeguard FCI. Level 2 applies to contractors handling CUI and requires implementation of all 110 controls from NIST SP 800-171. Level 3 is for the most sensitive contracts involving critical CUI and builds upon Level 2 by incorporating additional advanced controls from NIST SP 800-172.

Which CMMC 2.0 Level Should DoD Contractors Pursue?

The CMMC 2.0 level you should pursue depends on the type of information your organization handles and the requirements outlined in your contracts. It’s expected, however, that the majority of DoD contractors seeking CMMC compliance will be aiming to meet Level 2 requirements.